It seems the conductor_life_check_timeout option is not used in
the code entirely. We can just remove it at this point.
Change-Id: Ie07ede20f55593041319b3a52de8fca9f3b9514b
Label validator function has been left behind, although it's not
checking for anything right now - might be useful in future.
Change-Id: I74c744dc957d73aef7556aff00837611dadbada7
- Drop bay and baymodel tests
- Drop bay and baymodel from controllers
Depends-On: Ib85e4fda8e4ac467bd49590dc72ba5913bb9a19d
Story: 2009104
Task: 42957
Task: 42959
Signed-off-by: Diogo Guerra <diogo.filipe.tomas.guerra@cern.ch>
Change-Id: Ida2e42c86400438951d9804e3ce122c56a46b94f
ClusterType Template has been moved to Drivers since Change
I17ba94b0e2000486b5fcbf792991ad98183bd26c. There is no longer any need
to manage drivers since they are now loaded automatically.
Also removed deprecated config option.
Change-Id: Ie72180b903c0c13b2291482516829bf7d340dd79
This periodic job has been deprecated since Change
I3ca0f2e96fe63870406cc5323f08fa018ac6e8be in Rocky/Stein.
As it defaults to disabled, it causes logs like the following to be sent
over and over again.
Running periodic task MagnumPeriodicTasks._send_cluster_metrics
Skip sending cluster metrics _send_cluster_metrics
Remove the code totally as it has basically been a noop for a few
cycles.
Change-Id: Ib9142ab17d562b1d7ccf1409a9e0d934585a094d
The volume v2 api was completely removed from cinder during Xena cycle.
Unfortunately we didn't update the api_version parameter, which defines
the cinder api version used, when we fixed the problem caused by
removal of volume v2 api[1].
This change fixes the outdated default and ensures the current v3 api
is used.
[1] 67acf2c5e9
Change-Id: Id8940684c996e9c4bb615269976238d3f65e8140
The default 10 seconds health polling interval is too frequent for most of
the cases. Now it has been changed to 60s. A new config
`health_polling_interval` is added to make the interval configurable.
Cloud admin can totally disable the health polling by setting a negative value
for the config.
Task: 39795
Story: 2007683
Change-Id: Iad30487b8c119e94ee21d75f53fb86eb23dff365
A new config option `post_install_manifest_url` is added to support
installing cloud provider/vendor specific manifest after booting
the k8s cluster. It's a URL pointing to the manifest file. For
example, cloud admin can set their specific storageclass into
this file, then it will be automatically set up after creating
the cluster.
Task: 35798
Story: 2006209
Change-Id: Ib5a2c5cd7970085db941f189613e175f622aea3f
Support boot from volume for Kubernetes all nodes (master and worker)
so that user can create a big size root volume, which could be more
flexible than using docker_volume_size. And user can specify the
volume type so that user can leverage high performance storage, e.g.
NVMe etc.
And a new label etcd_volume_type is added as well so that user can
set volume type for etcd volume.
If the boot_volume_type or etcd_volume_type are not passed by labels,
Magnum will try to read them from config option
default_boot_volume_type and default_etcd_volume_type. A random
volume type from Cinder will be used if those options are not set.
Task: 30374
Story: 2005386
Co-Authorized-By: Feilong Wang<flwang@catalyst.net.nz>
Change-Id: I39dd456bfa285bf06dd948d11c86867fc03d5afb
With the new config option `keystone_auth_default_policy`, cloud admin
can set a default keystone auth policy for k8s cluster when the
keystone auth is enabled. As a result, user can use their current
keystone user to access k8s cluster as long as they're assigned
correct roles, and they will get the pre-defined permissions
set by the cloud provider.
The default policy now is based on the v2 format recently introduced
in k8s-keystone-auth which is getting more useful now. For example,
in v1 it doesn't support a policy for user to access resources from
all namespaces but kube-system, but v2 can do that.
NOTE: Now we're using openstackmagnum dockerhub repo until CPO
team fixes their image release issue.
Task: 30069
Story: 1755770
Change-Id: I2425e957bd99edc92482b6f11ca0b1f91fe59ff6
For k8s cluster, the loadbalancers created for LoadBalancer type
services should be deleted before the cluster deletion.
Change-Id: I75f44187b7be7d0ffb6a8f195f755de4b1564335
Closes-Bug: #1712062
Adding the client enables the manipulation of Octavia
resources with Magnum such as during cluster deletion,
being able to clean up non-heat created resources.
Change-Id: I976ab136e24b98d447d61028ce07d0f5dd9d255a
story: 2004259
task: 27795
Currently, Magnum is running periodic tasks to collect k8s cluster
metrics to message bus. Unfortunately, it's collecting pods info
only from "default" namespace which makes this function useless.
What's more, even if Magnum can get all pods from all namespaces, it
doesn't make much sense to keep this function in Magnum. Because
operators only care about the health of cluster nodes. If they
want to know the status of pods, they can use heapster or other
tools to get that.
Task: 22619
Story: 1775116
Change-Id: I3ca0f2e96fe63870406cc5323f08fa018ac6e8be
Add "trustee_keystone_region_name" optional configuration parameter
that allows Magnum to specify a region when searching for auth_url
in the Identity service.
This parameter is useful for multi-regional OpenStack installations
with different Identity service for every region.
Task: 22990
Story: 2002981
Change-Id: I5dd70ac0fdcbc19761833ccae3f5496c154f0804
Some configuration options were accepting both IP addresses
and hostnames. Since there was no specific OSLO opt type to
support this, we were using ``StrOpt``. The change [1] that
added support for ``HostAddressOpt`` type was merged in Ocata
and became available for use with oslo version 3.22.
This patch changes the opt type of configuration options to use
this more relevant opt type - HostAddressOpt.
[1] I77bdb64b7e6e56ce761d76696bc4448a9bd325eb
Change-Id: Id179ad55d4344a7dc2214896290890862b560e0c
Added configuration parameter, temp_cache_dir, to magnum.conf with
default value of "/var/lib/magnum/certificate-cache". This local
directory will hold cached cluster TLS credentials that are generated
during periodic tasks, to reduce load as the number of clusters
increases. If the temp_cache_dir does not exist, the certificates
will be created as tempfiles.
Closes-Bug: #1659545
Change-Id: I8808c4098a7c8d22dbfc841142c9f9c8b976dde1
The new config option 'disabled_drivers' is designed to address a
typical user case: As cloud provider, I'd like to only provide
some particular drivers, e.g. fedora atomic/k8s and don't expose
any other driver support. With this patch, when a user creates a new
template which is in 'disabled_drivers', a BadRequest error will
be returned.
Closes-Bug: #1746961
Change-Id: Ib4c53ffed78a1847b2da9672e6348c88757ad66e
Added configuration parameter, send_cluster_metrics, to magnum.conf
with default value of True. If set to True, periodic tasks will pull
COE data and send to ceilometer. This parameter can be set to False to
disable periodic collection of data to avoid unnecessary load from the
cluster.
Closes-Bug: #1668330
Related-Bug: #1746510
Change-Id: I9945293e7b2b52731f6e220d0925c1f6ad097caa
Currently, there is no guarantee to make sure all nodes of one cluster are
created on different compute hosts. So it would be nice if we can create
a server group and set it with anti-affinity policy to get a better HA
for cluster. This patch is proposing to create a server group for master
and minion nodes with soft-anti-affinity policy by default.
Closes-Bug: #1737802
Change-Id: Icc7a73ef55296a58bf00719ca4d1cdcc304fab86
In the drivers section of magnum.conf add openstack_ca_file.
This file is expected to be a CA Certificate OR CA bundle
which will be passed on every node and it will be installed
on the host's CA bundle.
Update devstack plugin to use the ssl bundle if tls-proxy is
enabled.
Install the CA for drivers:
k8s_coreos_v1
k8s_fedora_atomic_v1
k8s_fedora_ironic_v1
mesos_ubuntu_v1
swarm_fedora_atomic_v1
swarm_fedora_atomic_v2
Add doc in troubleshooting-guide.
Add release notes.
Closes-Bug: #1580704
Partially-Implements: blueprint heat-agent
Change-Id: Id48fbea187da667a5e7334694c3ec17c8e2504db
Added configuration parameter, verify_ca, to magnum.conf with default
value of True. This parameter is passed to the heat templates to
indicate whether the cluster nodes validate the Certificate Authority
when making requests to the OpenStack APIs (Keystone, Magnum, Heat).
This configuration parameter can be set to False to disable CA
validation.
Co-Authored-By: Vijendar Komalla <vijendar.komalla@rackspace.com>
Change-Id: Iab02cb1338b811dac0c147378dbd0e63c83f0413
Partial-Bug: #1663757
When creating a kubernetes cluster on baremetal & fedora, if the cluster
template does not have a docker_volume_type defined, the following error
is seen:
InvalidParameterValue: ERROR: The Parameter (docker_volume_type) was not
provided.
Cinder isn't mandatory, and neither is the docker_volume_type cluster
template parameter, so it shouldn't need to be set.
This change adds a default value of an empty string for the option
[cinder]default_docker_volume_type, which allows the cluster to be
created.
Change-Id: I4416e2826e4a14a11b93d55d342e4de9b3dc12d7
Closes-Bug: #1702075
Since we use docker >= 12.1 we can move to docker python SDK 2.x.x.
Docker 2.x.x is backwards compatible with older docker versions
using the APIClient instead of the DockerClient [1].
[1] https://docker-py.readthedocs.io/en/stable/api.html
Change-Id: I9e50a877de6e0a8c3ba56c2d7ebbbe336972a146
Close-Bug: #1696862
* add docker_volume_type for the cinder volumes which are
used for docker storage.
* add default_docker_volume_type configuration option
Related-Bug: #1678153
Change-Id: Ie18096acf24873ef91a904df4f1a84694a2bb644
Multiple process workers support for magnum-conductor.
Adds new option 'workers' to group [conductor] of magnum.conf.
Change-Id: If4d47769c97f756dbf5f45ac4413df7971731f21
Implements: blueprint magnum-multiple-process-workers
Allow specifying a custom AUTH_URL for the templates in case instances
cannot reach internalURL, which is the case in most deployments.
A new variable in trust section: trustee_keystone_interface which
defaults to public is introduced.
Change-Id: I2a908c0752387e4ff4ad2b0fdf0c1025a73ce806
Closes-Bug: #1643197
This commit addresses multiple potential vulnerabilities in
Magnum. It makes the following changes:
* Permissions for /etc/sysconfig/heat-params inside Magnum
created instances are tightened to 0600 (used to be 0755).
* Certificate retrieval is modified to work without the need
for a Keystone trust.
* The cluster's Keystone trust id is only passed into
instances for clusters where that is actually needed. This
prevents the trustee user from consuming the trust in cases
where it is not needed.
* The configuration setting trust/cluster_user_trust (False by
default) is introduced. It needs to be explicitly enabled
by the cloud operator to allow clusters that need the
trust_id to be passed into instances to work. Without this
setting, attempts to create such clusters will fail.
Please note, that none of these changes apply to existing
clusters. They will have to be deleted and rebuilt to benefit
from these changes.
Change-Id: I643d408cde0d6e30812cf6429fb7118184793400
* Add osprofiler wsgi middleware. This middleware is used for 2 things:
1) It checks that person who wants to trace is trusted and knows
secret HMAC key.
2) It starts tracing in case of proper trace headers
and adds first wsgi trace point, with info about HTTP request
* Add initialization of osprofiler at start of service
Currently that includes oslo.messaging notifier instance creation
to send Ceilometer backend notifications.
* Traces HTTP/RPC/DB API calls
Demo: https://hieulq.github.io/cluster-create-false-new-html.html
Co-Authored-By: Hieu LE <hieulq@vn.fujitsu.com>
Implements: blueprint osprofiler-support-in-magnum
Change-Id: I7d68995aab81d365433950aada078ef1fcd5469b
Adding config option to limit the max number of clusters
allowed per project. This limit is ignored if there is
an explicit hard limit set for a project in the 'quotas'
table.
Change-Id: I8a904de156c10c210e9e72999cdcbc28e374ea71
Partially-Implements: blueprint resource-quota
Multiple process workers support for magnum-api.
Adds new option 'workers' to group [api] of magnum.conf.
Change-Id: I0e8327ada6926602d577d1f36d384dd49426c7ee
Implements: blueprint magnum-multiple-process-workers
Centralize config option of urlfetch and periodic section.
Replace oslo_config cfg to magnum.conf.
Clean up some oslo_config import_opt and use magnum.conf.
Finish Implements: blueprint centralize-config-magnum
Change-Id: I11fb85159b260865beae9686734ca102ebc3154b